CVE-2015-7547 getaddrinfo

Description

This bundle provides a trigger and dashboard that help detect attempts to exploit CVE-2015-7547, a stack-based buffer overflow reachable through the getaddrinfo function of the GNU C Library (glibc) via crafted, oversized DNS responses. The trigger records custom metrics whenever any of the following types of suspicious activity is observed:

Malformed DNS Responses

Truncated DNS Responses

Large TCP DNS Responses

Large UDP DNS Responses

The bundle also includes several saved Explore (EXA) queries for detailed analysis of the devices involved and of the DNS queries and replies. Lastly, precision packet captures are recorded for suspicious activity so that it can be analyzed further in an external application.
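The four conditions listed above can be checked directly against a DNS message. The following Node.js example is added here for illustration and is not the bundle's trigger code (the trigger runs on the ExtraHop trigger API, which is not shown). It parses the DNS header, walks every section the header advertises to decide whether the message is malformed, reads the TC (truncated) bit, and flags responses that exceed a size threshold by transport. The 2048-byte threshold is an assumption chosen from the CVE, since glibc's paired A/AAAA lookup used a 2048-byte stack buffer; the sample messages at the bottom are constructed, not captured traffic.

```javascript
// Added example, not the bundle's trigger code: classify DNS responses by the
// four conditions the trigger counts. Node.js, no dependencies.

const LARGE_RESPONSE_BYTES = 2048; // assumption: size of glibc's stack buffer for the paired A/AAAA replies
const DNS_HEADER_LEN = 12;

// Parse the fixed 12-byte header (RFC 1035 4.1.1); null if the message is too short to hold one.
function parseDnsHeader(buf) {
  if (buf.length < DNS_HEADER_LEN) return null;
  const flags = buf.readUInt16BE(2);
  return {
    id: buf.readUInt16BE(0),
    isResponse: (flags & 0x8000) !== 0, // QR bit
    truncated: (flags & 0x0200) !== 0,  // TC bit: reply did not fit, client is expected to retry over TCP
    qdcount: buf.readUInt16BE(4),
    ancount: buf.readUInt16BE(6),
    nscount: buf.readUInt16BE(8),
    arcount: buf.readUInt16BE(10),
  };
}

// Skip one domain name starting at pos; returns the offset after it, or -1 if it runs off the end.
function skipName(buf, pos) {
  for (let labels = 0; labels < 128; labels++) {
    if (pos >= buf.length) return -1;
    const len = buf[pos];
    if (len === 0) return pos + 1;                                          // root label ends the name
    if ((len & 0xc0) === 0xc0) return pos + 2 <= buf.length ? pos + 2 : -1; // compression pointer ends the name
    if (len & 0xc0) return -1;                                              // 0x40/0x80 label types are invalid
    pos += 1 + len;
  }
  return -1;
}

// True if every section the header advertises fits inside the message.
function isWellFormed(buf) {
  const h = parseDnsHeader(buf);
  if (!h) return false;
  let pos = DNS_HEADER_LEN;
  for (let i = 0; i < h.qdcount; i++) {
    pos = skipName(buf, pos);
    if (pos < 0 || pos + 4 > buf.length) return false;  // QTYPE + QCLASS
    pos += 4;
  }
  for (let i = 0; i < h.ancount + h.nscount + h.arcount; i++) {
    pos = skipName(buf, pos);
    if (pos < 0 || pos + 10 > buf.length) return false; // TYPE, CLASS, TTL, RDLENGTH
    pos += 10 + buf.readUInt16BE(pos + 8);
    if (pos > buf.length) return false;                 // RDATA overruns the message
  }
  return true;
}

// Conditions a message matches: 'malformed', 'truncated', 'large_tcp', 'large_udp'. transport is 'tcp' or 'udp'.
function classifyResponse(buf, transport) {
  const h = parseDnsHeader(buf);
  const findings = [];
  if (!isWellFormed(buf)) findings.push('malformed');
  if (h && !h.isResponse) return findings;             // only responses can carry the payload
  if (h && h.truncated) findings.push('truncated');
  if (buf.length > LARGE_RESPONSE_BYTES) findings.push(transport === 'tcp' ? 'large_tcp' : 'large_udp');
  return findings;
}

// --- Constructed sample messages (not captured traffic) ---
function encodeName(name) {
  const labels = name.split('.').filter(Boolean)
    .map(l => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  return Buffer.concat([...labels, Buffer.from([0])]);
}
function txt(s) { return Buffer.concat([Buffer.from([s.length]), Buffer.from(s, 'ascii')]); }

function buildResponse({ truncated = false, answers = [] } = {}) {
  const header = Buffer.alloc(DNS_HEADER_LEN);
  header.writeUInt16BE(0x1234, 0);
  header.writeUInt16BE(0x8180 | (truncated ? 0x0200 : 0), 2); // QR=1, RD=1, RA=1, optionally TC
  header.writeUInt16BE(1, 4);                                  // QDCOUNT
  header.writeUInt16BE(answers.length, 6);                     // ANCOUNT
  const question = Buffer.concat([encodeName('example.com'), Buffer.from([0, 1, 0, 1])]); // type A, class IN
  const rrs = answers.map(rdata => {
    const fixed = Buffer.alloc(10);
    fixed.writeUInt16BE(16, 0);           // TYPE TXT
    fixed.writeUInt16BE(1, 2);            // CLASS IN
    fixed.writeUInt32BE(60, 4);           // TTL
    fixed.writeUInt16BE(rdata.length, 8); // RDLENGTH
    return Buffer.concat([Buffer.from([0xc0, 0x0c]), fixed, rdata]); // NAME = pointer to the question name
  });
  return Buffer.concat([header, question, ...rrs]);
}

const SAMPLES = {
  benign: buildResponse({ answers: [txt('hello')] }),                                         // 47 bytes
  truncated: buildResponse({ truncated: true }),                                              // TC set, no answers
  jumbo: buildResponse({ answers: Array.from({ length: 10 }, () => txt('x'.repeat(255))) }), // 2709 bytes
  malformed: buildResponse({ answers: [txt('hello')] }).subarray(0, 30),                      // promised answer is cut off
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name, buf.length, 'bytes ->', classifyResponse(buf, 'tcp'));
}
```

A response that sets TC and is then followed by a multi-kilobyte TCP reply is exactly the sequence a sensor would want to correlate, so in practice the findings would be keyed by client address and transaction ID rather than evaluated per message as here.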

Bundle Contents

(1) Trigger

CVE-2015-7547

(1) Dynamic Group

DNS Clients

(2) Record Formats

Jumbo DNS Responses

Malformed DNS Responses

(1) Dashboard

CVE-2015-7547 getaddrinfo

(1) Application

CVE-2015-7547

Requirements

ExtraHop Discover Appliance running firmware version 5.2 or later.

Note: The supplied trigger depends on the FLOW_DETACH trigger event, which it uses to detect when a flow's data was malformed. This event was not available by default before firmware 5.2. An advanced user could edit the trigger to remove this event and the logic that uses it in order to run the bundle on earlier versions.

An ExtraHop Explore Appliance is optional; it is needed only to view transaction details.

Installation Instructions

Download the bundle on this page.

Log in to the ExtraHop Web UI and complete the following procedures, which are described in the ExtraHop Web UI Guide.

(Optional) To disable storing packet captures, edit the trigger and comment out lines 28-30 by inserting two forward slash characters ("//") at the start of each line, then save the trigger. For example: